This repository has been archived by the owner on Dec 1, 2021. It is now read-only.

Kibana logout not working when logout is initiated from keycloak #17

Open
aggarwalShivani opened this issue Sep 29, 2021 · 2 comments

@aggarwalShivani

aggarwalShivani commented Sep 29, 2021

Versions used:
Kibana (OSS): 7.10.2
Opendistro-security: 1.13.1.0

Issue: Kibana logout not working with single sign-out and with OP (Keycloak) initiated logout.

Scenario:
Kibana is installed with openid_auth enabled. If we log in to Kibana and log out from it, it works fine.
However, if we log in to the Kibana UI (say as testuser) and then log out/terminate the active sessions of this user from the Keycloak admin console, Keycloak no longer shows any active sessions for the user; the Kibana UI, however, does not log out, stays logged in as testuser and remains accessible.
Kibana only logs out and redirects to the authentication page if a) we explicitly log out via the Kibana UI's logout button or b) we delete the security_authentication cookies created by Kibana in the browser.

Tried two approaches:

  1. Configuring opendistro_security.openid.logout_url:
    opendistro_security.openid.logout_url | The logout URL of your IdP. Optional. Only necessary if your IdP does not publish the logout URL in its metadata.
    The metadata endpoint URL of my Keycloak server does publish the "end_session_endpoint" as "https://{{ip}}/auth/realms//protocol/openid-connect/logout".
    As per the document, tried explicitly configuring:
    opendistro_security.openid.logout_url: https://{{ip}}/auth/realms/{{realm}}/protocol/openid-connect/logout,
    but this did not help.

  2. Configuring the Backchannel Logout URL for the client in Keycloak
    As per Keycloak, the Backchannel logout URL is the URL that will cause the client to log itself out when a logout request is sent to this realm (via end_session_endpoint). If omitted, no logout request will be sent to the client in this case.
    Configured the backchannel logout URL as the Kibana logout URL,
    i.e. backchannel logout url: https://{{kibana:5601}}/api/v1/auth/logout
    With this too, the behaviour remains the same and Kibana does not log out.

Kibana logs on triggering logout from Keycloak:
{"type":"response","@timestamp":"2021-10-27T08:38:36Z","tags":[],"pid":10,"method":"post","statusCode":400,"req":{"url":"/api/v1/auth/logout","method":"post","headers":{"content-length":"859","content-type":"application/x-www-form-urlencoded; charset=UTF-8","host":"w.x.y.z:30603","connection":"Keep-Alive","user-agent":"Apache-HttpClient/4.5.13 (Java/11.0.12)","accept-encoding":"gzip,deflate"},"remoteAddress":"w.x.y.z","userAgent":"w.x.y.z"},"res":{"statusCode":400,"responseTime":17,"contentLength":9},"message":"POST /api/v1/auth/logout 400 17ms - 9.0B"}

This is a major bug in kibana openid_auth authentication.
Any ideas on the root cause and how this can be mitigated?

@aggarwalShivani
Author

Any updates?

@aggarwalShivani
Author

Any updates on this issue?
